Email insecurity

Email was invented 50 years ago at a time when security and privacy were not major concerns.  Times have changed.  Now every government, business, hacker and vandal wants to mess with your email.  Now email has plenty of security and privacy issues.

Here are my quick suggestions for safer email and then some detailed explanations.

 

Quick suggestions for safer email

  • DO NOT open attachments or click on links in emails that are suspicious.  Be careful.
  • Use good passwords.
  • Use two email accounts – one for important stuff and a second for less important stuff.
  • Protect your important email account with 2 factor authentication.
  • Don’t put anything in an email that you wouldn’t want the world to know.
  • If you must send sensitive documents, encrypt them.
  • Don’t respond to spam or trolls.

 

Getting hacked by email

Email is the most common way to get hacked.

The results of a phishing email hack can be as ugly as identity theft, monetary loss, data loss and reputation damage.

The phishing email message may look legitimate but contains a malicious attachment or link.  This is how the bad guys grab control of your computer.  They send you an official looking email that scares or intrigues you.  The email has an attachment that you open and run.  This installs a virus.  Or the email has a link.  You click the link, open a website and a virus gets installed.  Or the link takes you to a real looking website that asks you for login credentials or personal information.

The virus can do bad things – silently monitor your keystrokes for passwords which it sends back to the hacker, encrypt your files and demand a ransom, make your computer a botnet member, change your DNS so that you browse to counterfeit websites, monitor your computer use and so forth.

Email errors and privacy

You may think that you are in control of your email, but there are plenty of ways to lose it.  Sending to the wrong address, or a careless CC, BCC or Reply All, can send email off to unexpected recipients.  Realize that email can be forwarded with a click.  Walk away from your device and someone can use your account, even change the password.  Hackers.  Drunk email.

Best not to put anything you wouldn’t want the world to see in an email.

Email is forever

Nothing is forever but web mail services and business email are being backed up.  Web mail services may be backed up indefinitely.  Businesses have the right to delete after a legal retention time.  You may think that you deleted an email but it exists on a backup somewhere.   Oddly the US government considers email older than 6 months fair game to read without a warrant.  Hackers, employees, system administrators and subpoenas can get access to email.

Governments and businesses are collecting and archiving all the information that they can get their hands on including email.

What you write goes into your permanent file.

Plain text

When email is sent between systems it is usually in plain text.  This means that anyone along the way can read, modify or copy the email.  Some mail transfers are encrypted but don’t count on it.  Mail encryption software has been around a long time but never gained widespread acceptance due to its complicated nature.

When email is in plain text, privacy is gone.  Messages can be modified, so authenticity is gone.  Realize that all mail messages are vacuumed up by government and business everywhere for analysis and storage, and plain text is just that much easier to analyze for government and business reasons.

Other email annoyances

Spam.  Spam.  Spam.  Spam.

Scams.  Scams have been around since day one; now email is a new high tech way to commit fraud.  Examples are emails that try to trick you into thinking that you owe the IRS and need to make a payment immediately or be arrested.  Offers of romance and pharmaceuticals.  The Nigerian Prince needs your help transferring millions of dollars and will pay for your help.

Spoofed email.  Email From fields can be made to say anything and appear to be from someone important.  The email header can show the true source of an email.
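The paragraph above says the headers show where a message really came from.  Here is an added example (my own illustration, not part of the original post) of reading them with Python: it takes the domain from the From header and compares it with the host recorded in the oldest Received line, which is the first hop into the receiving mail system.  The two messages, every hostname, IP address and ESMTP id in them are constructed for this example.

```python
# Added example, not from the original post: compare what the From header
# claims with what the Received headers record. All hostnames, addresses
# and message ids below are constructed for illustration.
import email
import re
from email.utils import parseaddr

# Constructed sample. Each relay prepends its own Received line, so the
# LAST Received header is the oldest one: the first hop into the mail
# system. Here the From header claims bigbank.example, but the message
# entered from an unrelated host.
SAMPLE_SPOOFED = b"""Received: from mx.example-mail.test (mx.example-mail.test [192.0.2.10])
\tby inbox.example-mail.test with ESMTP id abc123; Mon, 2 Jan 2017 10:00:00 +0000
Received: from relay.unrelated-host.test (relay.unrelated-host.test [198.51.100.7])
\tby mx.example-mail.test with ESMTP id def456; Mon, 2 Jan 2017 09:59:58 +0000
From: "Account Security" <alerts@bigbank.example>
To: victim@example-mail.test
Subject: Your account has been locked

Click the link to restore access.
"""

# Constructed legitimate counterpart: the oldest hop is inside the sender's domain.
SAMPLE_LEGIT = b"""Received: from mx.example-mail.test (mx.example-mail.test [192.0.2.10])
\tby inbox.example-mail.test with ESMTP id ghi789; Mon, 2 Jan 2017 10:00:00 +0000
Received: from mail.bigbank.example (mail.bigbank.example [203.0.113.5])
\tby mx.example-mail.test with ESMTP id jkl012; Mon, 2 Jan 2017 09:59:58 +0000
From: "Account Security" <alerts@bigbank.example>
To: victim@example-mail.test
Subject: Your monthly statement

Your statement is ready.
"""

RECEIVED_FROM = re.compile(r"^from\s+(\S+)", re.IGNORECASE)


def from_domain(msg):
    """Domain of the From address, i.e. what the reader sees in the client."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def received_hosts(msg):
    """Host named after 'from' in each Received header, newest first."""
    hosts = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_FROM.match(value.strip())
        if m:
            hosts.append(m.group(1).lower())
    return hosts


def origin_host(msg):
    """Oldest Received line: the host that handed the message to the first relay."""
    hosts = received_hosts(msg)
    return hosts[-1] if hosts else None


def same_org(host, domain):
    """Crude check: is the host the From domain itself or a subdomain of it?"""
    return host == domain or host.endswith("." + domain)


def check_spoof(raw_message):
    """Flag a message whose first-hop host does not belong to the From domain.
    Caveat: a sender can forge Received lines of its own; only the lines added
    by your own provider's servers can be trusted, so treat this as a hint."""
    msg = email.message_from_bytes(raw_message)
    domain = from_domain(msg)
    origin = origin_host(msg)
    return {
        "from_domain": domain,
        "origin_host": origin,
        "suspicious": origin is not None and not same_org(origin, domain),
    }


if __name__ == "__main__":
    for name, raw in (("spoofed", SAMPLE_SPOOFED), ("legit", SAMPLE_LEGIT)):
        print(name, check_spoof(raw))
```

In a real mailbox the Received lines nearest the top are the ones your own provider added and are the only ones you can rely on; everything below them was supplied by the sender and may itself be forged, which is why the check is a hint for closer inspection rather than proof.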

Reply and Reply All gotchas.  Email clients default to Reply only to the sender.  If the message was sent to a group and people only Reply to the sender, the conversation gets fragmented real fast.

Email lacks cues for emotion so it is easy to write ambiguous email and misread the intention of email.  Is he angry?  Is she being funny?  For this reason be careful to write clearly and even add those dumb emoticons :) to clarify.  DON’T SHOUT UNLESS YOU MEAN IT!

Email overload can cause one to miss important messages.

You can do everything right but the email provider fails

An email provider can get hacked and your account can be stolen.  Yahoo! email is an example of a service that got hacked.  A flaw in an email system can expose you to exploits.

An email provider can go out of business and lock you out of your email or make mistakes and lose your email.

Customer service may be difficult or impossible for web based services.

Recovering forgotten passwords can be difficult.  Recovering passwords for the deceased can be difficult.

Business email

Every business uses email.  They want their system private and secure so that their business secrets, transactions and client information are safe.  Most businesses take their email seriously and take steps to protect and secure their systems.

One step a business will take is to require that employees read and sign an agreement called an Acceptable Use Policy (AUP) that spells out what email may be used for, limiting personal use, requirements for sending sensitive information, password requirements, antivirus requirements, cautions about phishing and attachments and more.  You may have seen warnings and policies displayed when logging on to a business system.  You may have seen those disclaimers at the bottom of business emails stating that business correspondence is confidential and if you received it by mistake you must delete it.

Business email is highly vulnerable to phishing and malicious attachments.  This is a good way for hackers to gain a foothold on one computer and then penetrate the whole system.

Compromised email systems can be a big embarrassment when emails are released – think Wikileaks, the hacks of Sony and the DNC.

The company owns the computer system and everything on it including email so they have the right to monitor and read everyone’s email.  This can be done in an automated fashion, looking for keywords.  Realize that the company sees everything in email.

Use discretion with personal use of company email.  Employees can be disciplined or fired for email errors, misuse or use contrary to company HR policies.  If you aren’t getting promotions, maybe it is because you called the boss a clown in email.

At work, use your smartphone for personal email.  If you wish to use a web mail service at work, at least check the site’s certificate in your browser for evidence of a proxy.

 

Where is your email stored?  Two ways to email

There are two popular ways to send, receive and store email.  One way is using an email client on your computer and the other is using a web based email service.

An email client such as Outlook stores your email in a big file on your computer.  It will receive emails from a server (POP3) or synchronize emails with a server (IMAP and MAPI).  One advantage is that you have all your email on your computer and don’t need an Internet connection to access it, like on the road.  But there are many disadvantages to storing your email this way.  The worst is that you can lose all your email if you move it from the server to your client (POP3 with delete) and then lose your client because your computer is stolen or lost or the hard drive fails.  People rarely back up to avoid this loss.  Another disadvantage is that your email is only accessible on the one device.  Outlook is good in a business environment with an Exchange server and nerds to maintain it all, but for the home and small business user I recommend a web based email service.

Web based email services include AOL Mail, Gmail, Outlook/Hotmail and Yahoo! Mail.  The advantages of web based mail are that you can access it from any Internet device via browser or app and the service backs up your email.  These services offer free accounts with plenty of storage and include other services like calendars and online office suites.  The disadvantage of web email services is that they use and sell your information to advertisers, business and anyone else.

There are other ways to use email.  One is to use a paid service that promises not to read or sell your email info.  Choose a service in a neutral country to avoid government interference.  You can use your own mail server.  You can encrypt everything.

Email at untrusted locations

Using email at untrusted locations such as public libraries or a friend’s computer carries the risk of keystroke loggers.

Using email with untrusted WiFi is best done with a VPN.

Look for the https:// in the address bar to know that you are using an encrypted connection to the website.

 


Bitcoin

Here is my experience with Bitcoin and some resources.

Bitcoin is an innovative payment network and a new kind of money.

Bitcoin uses peer-to-peer technology to operate with no central authority or banks; managing transactions and the issuing of bitcoins is carried out collectively by the network. Bitcoin is open-source; its design is public, nobody owns or controls Bitcoin and everyone can take part.

- bitcoin.org

Bitcoin

I set up a Bitcoin wallet.  Then I bought some bitcoin which was deposited to my wallet.  Now I’m ready to buy and sell with bitcoin.

The details.  Actually I set up two wallets.  The first is with an online exchange (coinbase.com) which I linked to my checking account.  I transferred an amount of money from my checking account to the wallet.  As a second test, I transferred money from a credit card to the wallet.  This wallet is accessible from the website and a smartphone app.

My second wallet I set up on my computer with wallet software from electrum.org.  I used a Bitcoin ATM to transfer US dollars (paper bills) to my Electrum wallet.  This wallet is only accessible on my computer but I made a printout of my QR code so I could deposit money at the Bitcoin ATM.

Electrum wallet for Bitcoin.

The details of the fees and wait times for transferring money into a wallet are laid out in tables at the end of this post.

Bitcoin transactions are done with the wallet software and the receiving address.  The receiving address is a long alphanumeric string of 34-36 characters which can be typed in but is more easily scanned in via QR code, copied and pasted or read from a file.
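The 34-character address format has a safety net the paragraph does not mention: legacy addresses are Base58Check, a version byte plus a 20-byte public key hash plus a 4-byte checksum, so a mistyped address is rejected by the wallet instead of sending coins to an address nobody controls.  The Python below is an added example of my own (not from the original post, and not Electrum's or Coinbase's code) that builds and validates such addresses.  The well-known genesis block address is a real public value; the 20-byte hash used for the constructed address is made up.

```python
# Added example, not from the original post: how a legacy Bitcoin address
# is built and why a typo in one is caught. The address is Base58Check:
# version byte + 20-byte public key hash + 4-byte checksum, all Base58 encoded.
import hashlib

# Base58 alphabet used by Bitcoin: no 0, O, I or l, to avoid confusable characters.
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(data: bytes) -> str:
    n = int.from_bytes(data, "big")
    out = ""
    while n > 0:
        n, r = divmod(n, 58)
        out = ALPHABET[r] + out
    # Each leading zero byte becomes a leading '1' (the digit for value 0).
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading_zeros + out


def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid Base58 character {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_ones = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading_ones + body


def checksum(payload: bytes) -> bytes:
    """First 4 bytes of SHA-256(SHA-256(payload))."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def encode_address(version: int, pubkey_hash: bytes) -> str:
    """Build a Base58Check address from a version byte and a 20-byte hash."""
    if len(pubkey_hash) != 20:
        raise ValueError("public key hash must be 20 bytes")
    payload = bytes([version]) + pubkey_hash
    return b58encode(payload + checksum(payload))


def validate_address(addr: str):
    """Return (ok, detail). ok is True only when the embedded checksum verifies,
    so a mistyped or truncated address is rejected before any coins move."""
    try:
        raw = b58decode(addr)
    except ValueError as exc:
        return False, str(exc)
    if len(raw) != 25:
        return False, f"decoded to {len(raw)} bytes, expected 25"
    payload, check = raw[:-4], raw[-4:]
    if checksum(payload) != check:
        return False, "checksum mismatch"
    return True, f"version byte 0x{payload[0]:02x}"


if __name__ == "__main__":
    # Well-known public address from Bitcoin's genesis block (a real value).
    genesis = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
    print(genesis, validate_address(genesis))
    # One character changed: the checksum no longer matches.
    typo = genesis[:-1] + "b"
    print(typo, validate_address(typo))
    # A constructed address from a made-up hash round-trips through encode/decode.
    print(validate_address(encode_address(0x00, bytes(range(20)))))
```

The checksum only protects against accidental errors such as typos and truncation; it does nothing against a wrong address pasted in deliberately, which is why the QR code or copy-and-paste path from a trusted source still matters.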

Electrum wallet send bitcoin.

Electrum wallet receive bitcoin.

For mobile transactions, the smartphone rocks, displaying the QR code on the screen and reading the QR code by camera.

Now my definition of Bitcoin –

Bitcoin is numbers in a public ledger that represent people’s holdings in bitcoin.  Bitcoin is just encrypted numbers.  People keep a copy of their Bitcoin numbers in a wallet, ready for transactions.  A Bitcoin wallet can be an app, computer program, website or paper.  The Internet is required to glue it all together.  The Bitcoin public ledger is distributed, maintained, encrypted and secure.  Bitcoin has value as long as people value bitcoin.

Pros

  • Cool
  • Private
  • Not controlled by governments, banks, anyone
  • Lower fees than credit cards for merchants
  • The underlying technology is fascinating – cryptography, block chains, Internet
  • International
  • Transactions are “instant” (seconds or minutes for extra confirmation)

Cons

  • Requires technology and understanding how to use it
  • Bitcoins can be lost or stolen by errors, loss, failure, hackers
  • Lost bitcoins are forever lost
  • Bitcoin transactions cannot be reversed (like a credit card transaction can be reversed)
  • Confusion about legality and taxation
  • May be illegal in some locations
  • Limited acceptance by merchants
  • Converting cash to Bitcoin and back can be inconvenient and fee based
  • The Bitcoin system could fail – crashing down in value or completely or become illegal

Backup your wallet and use a good password.  Choose a reputable exchange for wallet storage and currency exchange.

The Bitcoin reputation has been tarnished by being associated with purchasing illegal items, money laundering and the Dark Web.  On the good side, major merchants accept bitcoin – Microsoft, Dell, Virgin Atlantic, Sacramento Kings examples – as well as charities, mom and pop businesses, people and politicians(!) (see Wikipedia entry for Bitcoin).

The history of Bitcoin is a hoot. It was invented by a person named “Satoshi Nakamoto” in 2008 who disappeared from the scene without anyone knowing his real identity or fate.  I hope this genius is fat and happy living off his Bitcoin millions somewhere.

I have enjoyed my dive into Bitcoin.  Will I use it?  Only time will tell.

Check it out.  Get a wallet, some bitcoin and enjoy.

Resources

Documentation

Web site:  bitcoin.org

Web site:  wikipedia.org Bitcoin

Book:  Bitcoin for the Befuddled (2015)

Book:  Bitcoin for Dummies – 1st edition (2016)

Video documentary: The Rise and Rise of Bitcoin (2014)

Video documentary: Bitcoin: the End of Money as We Know It (2015)

Wallets

electrum.org

coinbase.com

Bitcoin Exchange

coinbase.com

Internet resources

Locate Bitcoin ATMs:  coinatmradar.com

Blockchain information:  blockchain.info

 

My research to buy bitcoin

buy bitcoin from             method of purchase         % fee                                       wait time        notes
coinbase.com                 credit card                4                                           instant
coinbase.com                 checking account           1.5 with $0.15 minimum                      5 business days  ACH
Bitcoin ATM – coinucopia.io  cash                       3                                           instant
person to person             cash exchange for bitcoin  0 to 15 or fixed price markup (example 7%)  instant          parties negotiate exchange rate
person to person             sell item(s) for bitcoin   –                                           instant

My research to sell bitcoin

sell bitcoin to   deposit cash to            % fee                                       wait time        notes
coinbase.com      checking account           1.5 with $0.15 minimum                      2 business days
coinbase.com      USD wallet                 1.5                                         instant
person to person  buy item(s) for bitcoin    –                                           instant
person to person  cash exchange for bitcoin  0 to 15 or fixed price markup (example 7%)  instant          parties negotiate exchange rate
Bitcoin ATM       –                          –                                           –                some Bitcoin ATMs will convert bitcoin to cash for a fee

Updating a Samsung Galaxy S3 ATT phone to CyanogenMod 12.1

Mark shows off his Samsung Galaxy S3 phone with CyanogenMod 12.1

I updated my 4 year old Samsung Galaxy S3 ATT phone with CyanogenMod.

The original Android version was sluggish, boring and insecure. The new Android version is lively, fresh and more secure.

CyanogenMod is an open source Android operating system for Android smartphones.

I am very happy with the end result.

Note that the process to update an Android phone is very specific to the phone model and my experience is with the Samsung Galaxy S3 sold by ATT USA model SGH-I747 with the original Android 4.4.2 (Jelly Bean).

Pros and cons to upgrading an Android phone to CyanogenMod

The good

  • New life for an old phone
  • New clean user interface
  • New features
  • No vendor crapware
  • Faster performance
  • Updates
  • Open source
  • Free

The bad

  • The Internet is filled with multiple ways to update, some outdated, some inaccurate
  • Complicated project that requires a level of technical knowledge
  • Time consuming project – research, backups, file copies, installing Android SDK, first boot are all time consuming

The ugly

  • Possible to brick the phone (render it broken)

I always wanted to try CyanogenMod being a big fan of open source software and clean user interfaces.

But I was afraid to experiment with my one phone, fearing the worst, bricking it then be suddenly without a phone.

Then I bought a new mobile phone and that left me free to experiment.

After a lot of research on the Internet and watching YouTube videos I realized that I could do it but wanted to find the easiest and most reliable path to CyanogenMod.

There is a confusing variety of methods for

  • carrier unlocking (if needed)
  • rooting (if needed)
  • boot unlocking (if needed)
  • flashing a bootloader
  • selecting the CyanogenMod ROM
  • backing up the original ROM
  • transferring files to the phone’s SD storage
  • flashing the CyanogenMod ROM
  • flashing Google Apps
  • and other details

I chose going to the origin, CyanogenMod, for the instructions and links to required software. CyanogenMod is abbreviated CM and the website is cyanogenmod.org.

I found the CM instructions for my phone good but not detailed and I did have some glitches.

If you are going to follow my path, I recommend using the CM instructions and reading my notes below.

I am very pleased with the results! My 4 year old Samsung Galaxy S3 is a joy with the new clean interface, lively performance, new features and security updates. Well done CyanogenMod people.

CM 12.1 (the ROM I chose) is based on Android 5.1 Lollipop. The new features I have discovered so far include Task Switcher, photo editing features, tethering, Encrypt phone and File Manager Secure storage.

I do not miss the crapware installed by ATT and Samsung on the original issue carrier locked phone.

When my 2 year contract with ATT completed I asked for the carrier unlock code which they supplied.  I carrier unlocked my phone so that I could transfer my service to a less expensive pay as you go carrier and I kept my same phone number.

Google has discontinued support for Android KitKat. Plenty of security vulnerabilities have been found and exploited for this OS. No security updates is inexcusable and an ugly industry dirty secret.

I made sure my phone information was synced to my Google account so I did not mind wiping it. If your phone has important data (apps, SMS, contacts, photos, whatever) please backup.

Here are the notes on my path to update. I used a Windows 7 PC in the process. This worked for me Nov 26, 2016. I do not guarantee this process or the results.

How to install CyanogenMod on this phone.

https://wiki.cyanogenmod.org/w/Install_CM_for_d2att

Heimdall is a cross-platform, open source tool for interfacing with Download Mode on Samsung devices. The preferred method of installing a custom recovery is through this boot mode.

Rooting the stock firmware is neither recommended nor necessary.

The Heimdall Suite requires a SPECIFIC version of the Microsoft Visual C++ 2012 Redistributable Package (x86/32bit); make sure you grab the right one.

How to install the new bootloader.

I used TWRP (Team Win Recovery Project, I was curious about the acronym) https://dl.twrp.me/d2att/twrp-2.8.7.0-d2att.img

I did not see a “blue transfer bar” as described in the instructions.

After installing this bootloader it is a good idea to back up your present ROM to the SD card (careful, the default is to internal storage).

Downloads

For CM I used “Download Latest Release” from

https://download.cyanogenmod.org/?device=d2att

For Google Apps (required if you will use Google Store) I downloaded CyanogenMod 12.1 OpenGApps from https://wiki.cyanogenmod.org/w/Google_Apps

Later you can flash them both at the same time.

How to install Android Studio. This will give you the adb utility and full app development if you want to play with that. Note installing this software takes a long time.

https://developer.android.com/studio/index.html

How to make adb command work from any folder with a Windows path edit

https://wiki.cyanogenmod.org/w/Doc:_adb_intro

Add to Windows path

;C:\Users\username\AppData\Local\Android\sdk\platform-tools\

In the string above, modify username to match your path.  Also, your path may be different.

Then reopen Windows terminal for the path to be in effect.

Adb issues and a workaround

Adb utility did not work for me so I could not issue the “adb reboot nvbackup” command or adb push commands. Maybe something to do with enabling Developer options and USB debugging https://wiki.cyanogenmod.org/w/Doc:_developer_options but this step is not in the instructions. Maybe Windows USB driver issues.

I ended up copying the CM ROM and Google Apps ROM manually to my SD card and flashing them from SD.

In retrospect, is Google Studio with adb even necessary if it is only used to push files from the PC to the phone?  There are other ways to put the files that you need on the phone’s SD card.  Put the SD card in your PC SD card slot or use an SD card adapter and copy the files.  Or, before the update, plug a USB cable into the PC and phone and copy the files.  Copy the files to the SD card root folder.  The two files that you need are the CyanogenMod and OpenGApps, both .zip files in my case.

Terminology

The terms used for installing and updating Android are confusing. The memory on the phone where Android is installed is interchangeably called ROM, firmware, flash memory and memory.  Android is called a mobile operating system, Operating System and OS.  The Android file is called software, image, package or zip file.  The process of installing and updating Android is also called flashing.

People often say “flashing the ROM” meaning installing the software, i.e. CyanogenMod, to the phone.

Yes ROM means Read Only Memory and is a historical term still used but not accurate.

First boot of CM takes forever! Do not panic!

Resources

Wikipedia

Cyanogenmod.org

Cyanogenmod.org wiki

How to Reset the phone to factory, not required but here for reference http://www.wikihow.com/Reset-a-Samsung-Galaxy-S3

Samsung Galaxy S 3 (S III) SGH-I747 for ATT (AT&T) specifications.


Raspberry Pi

The Raspberry Pi is a simple, low cost, single-board computer.

Raspberry Pi B+ single board computer

The Raspberry Pi was developed in the UK to teach computers and programming to students.  The default R P runs Linux and has the Python programming language installed.  First released in 2012, several updated models have been released since.  The list price has remained at $35USD.

https://www.raspberrypi.org

The hardware specs are similar to a smartphone or tablet as far as processor and memory but the architecture is more like a desktop with an HDMI video connector, USB ports for keyboard, mouse and other peripherals, RJ45 for network and an SD card for storage.

https://en.wikipedia.org/wiki/Raspberry_Pi

Don’t get ready to replace your desktop with the R P just yet.  The fact that it runs Linux will stop many and it is rather underpowered. Browser performance is slow and YouTube worse.

But if you are looking for a single board computer to learn about computers/Linux/Python or you have a maker/builder project in mind, the R P  can’t be beat.

To set up a complete R P system you will need:

– The Raspberry Pi single board computer
– Monitor with HDMI input and cable
– USB keyboard
– USB mouse
– SD card 16 or 32 GB
– Power adapter (charging adapter for a smartphone or tablet works) with a cable ending in Micro USB

If you don’t have the supporting hardware and are on a budget, think friends, garage sales, second hand stores.

Now you need a R P Operating System (OS) on the SD card.  The default recommended is Raspbian.  You can buy an SD card with Raspbian ready to go or use a computer connected to the Internet to download it and write it to the SD card.  For example with Windows download Raspbian and use Win32DiskImager to write the bootable Raspbian OS to the SD card.

Optional
– Internet connection for updates, new software and just doing Internet things.
– Case for R P (it is a bare naked PCB which is cool to look at but in a rough environment needs a case)
– Speakers (if not built into your HDMI capable monitor); amplified speakers are better because the sound output of the R P is weak
– USB wireless adapter for Ethernet instead of the RJ45 cable

Isis says so hook up your new Raspberry Pi computer and let’s see what it does

Here are my notes on setting up a R P computer.  There are several hardware versions and many software options so your mileage may vary.

There are tons of resources out there for everything R P.  Use your favorite search engine to find what you need.

For example here are great instructions about getting started

http://lifehacker.com/5976912/a-beginners-guide-to-diying-with-the-raspberry-pi

I will warn you that bumps in the road are ahead

– fractured support for different models
– the GB keyboard will confound you by switching the @ and “
– Internet browsers run slow

Assemble your R P and boot

Raspberry Pi boot and at the prompt. This Raspberry Pi is in a case. The connections are (starting lower left and moving counter clockwise) USB micro power, HDMI video, RJ45 Ethernet, USB keyboard, USB mouse.

Linux boots!  You are at a login command prompt!

raspberrypi login:  pi
Password:  raspberry

You are back at the command prompt!

Now what?  Two suggestions – start the xwindows graphical environment and start exploring or configure your system.

Xwindows GUI

To start Xwindows, at the command prompt type startx

Point and click!  Explore the Menu and see what you have available.

Epiphany Web Browser
File Manager
Terminal
Python programming language
Leafpad text editor
Accessories like Help, Calculator, Image viewer, PDF viewer, other stuff.

In Xwindows –
End Xwindows back to the command prompt:  Menu > Logout (keyboard shortcut:  <Ctrl><Alt><Backspace>)
Shutdown the computer:  Menu > Shutdown

RP configuration

sudo raspi-config will get you into the R P Software Configuration Tool where you can expand your filesystem to use the entire SD card, Internationalisation Options, and Overclock

Expand your filesystem is a good thing to use the entire SD card space.

Internationalisation.  The default UK keyboard swaps @ and “.   Change the keyboard to US layout here.
Generic 102
English (US)
The default
No Compose
Ctrl+Alt+Backspace Yes

Overclock.  R P seems to encourage overclocking.  As the R P is slow, try it.

New software and OS updates

In R P the way to get new software and OS updates is with the package manager.  The package manager connects to trusted repositories of software.  This is like an app store.  Updating and installing software from repositories is more secure.

To refresh the list of available packages:  sudo apt-get update

To install a program, for example Firefox, type the command (but note the name change, there is some drama):

sudo apt-get install iceweasel

Say hello world in Python

Create a Python script and run it –

In Xwindows,
Menu, Accessories, Text Editor,
enter
print("Hello world")
File, Save As, Select folder pi, Name: hello_world.py
Menu, Accessories, Terminal,
type
python hello_world.py

This is a really simple overview of R P.

R P is a very cool computer with unlimited potential.  Well done R P.

5 million R Ps have been sold.

The latest version is Raspberry Pi 2 with a faster processor and more memory.

Microsoft has announced support for Windows 10 on the R P 2

The R P has a 40 pin GPIO for builders.

There is a large community to support and promote R P.

Builders find more and more uses for R P and share their work.


Big data is tracking me and my cat

My cat buddy Horus coughs and sneezes a lot so I typed the symptoms into google.com.

I learned that heartworms are a possible cause of coughing.

So I visited several web sites about cats and heartworms to educate myself.

Three months later I received in the mail an offer for dog heartworm medicine.

Coincidence?  I think not.  Google and/or big data is collecting, saving, correlating and selling my personal Internet data.

The downside to all this correlation is false data gets entered into your file.

I have never owned a dog.  I like dogs.

There are no heartworm medicines for cats.

Sorry Horus my buddy.

Horus helping me work on a computer.

=======================================

Another example of being tracked – selling a Supermicro server on craigslist gets me a full page Supermicro server ad in Time magazine.

In January of 2015 I sold several old computers on craigslist including a Supermicro brand server.

I have a subscription to Time magazine in my name and address and in the June 1, 2015 issue there appeared a full page ad for Supermicro servers.  I doubt that the typical reader of Time magazine is interested in full page ads for Supermicro computer servers so I suspect the connection was made and I was targeted.

The Supermicro full page ad in my issue of Time magazine.
